Members   Search   FAQ    Register    Login   Home

Show: Today's Messages  :: Show Polls :: Message Navigator

Symfony Security issue - XSS attack on form helpers [message #3872] Mon, 13 March 2006 23:19  pookey Messages: 173 Registered: January 2006 Location: Epsom, Surrey, UK Senior Member Synopsis -------- Symfony's input_tag form helper is vulnerable to cross site scripting attacks. Affected Versions ----------------- 0.6, latest beta. Possibly older versions too. Description ----------- The input_tag will display a value received in the request without sanitising it's content. More information on XSS can be found here - http://en.wikipedia.org/wiki/Cross_site_scripting. A ticket for this bug has been opened on trac. Impact ------ By exploiting the cross-site scripting vulnerabilities, an attacker can execute arbitrary scripts running in the context of the victim's browser. The severity of this issue will vary on a site to site basis. Workaround ---------- Currently there is work arround. Example ------- http://www.askeet.com/search?search=test%22%3E%3Cscript%3Eal ert('XSS');%3C%2Fscript%3E%3Ci [Updated on: Mon, 13 March 2006 23:43] http://shurl.net - the only URL shortening service written with symfony! Report message to a moderator

	Symfony Security issue - XSS attack on form helpers  By: pookey on Mon, 13 March 2006 23:19
	Re: Symfony Security issue - XSS attack on form helpers By: b4pro2 on Tue, 14 March 2006 12:34
	Re: Symfony Security issue - XSS attack on form helpers By: simonbun on Tue, 14 March 2006 13:46
	Re: Symfony Security issue - XSS attack on form helpers By: pookey on Tue, 14 March 2006 14:22
	Re: Symfony Security issue - XSS attack on form helpers By: jgchristopher on Tue, 14 March 2006 15:43
	Re: Symfony Security issue - XSS attack on form helpers By: pookey on Tue, 14 March 2006 16:49
	Re: Symfony Security issue - XSS attack on form helpers By: pookey on Tue, 14 March 2006 16:58
	Re: Symfony Security issue - XSS attack on form helpers By: jgchristopher on Tue, 14 March 2006 17:13
	Re: Symfony Security issue - XSS attack on form helpers By: webdev on Tue, 14 March 2006 18:25
	Re: Symfony Security issue - XSS attack on form helpers By: webdev on Tue, 14 March 2006 18:53
	Re: Symfony Security issue - XSS attack on form helpers By: simonbun on Tue, 14 March 2006 19:31
	Re: Symfony Security issue - XSS attack on form helpers By: jgchristopher on Tue, 14 March 2006 19:56
	Re: Symfony Security issue - XSS attack on form helpers By: b4pro2 on Tue, 14 March 2006 21:12
	Re: Symfony Security issue - XSS attack on form helpers By: tamcy on Wed, 15 March 2006 05:03
	Re: Symfony Security issue - XSS attack on form helpers By: pookey on Wed, 15 March 2006 13:07
	Re: Symfony Security issue - XSS attack on form helpers By: tamcy on Wed, 15 March 2006 13:23
	Re: Symfony Security issue - XSS attack on form helpers By: simonbun on Wed, 15 March 2006 14:08
	Re: Symfony Security issue - XSS attack on form helpers By: pookey on Wed, 15 March 2006 14:21
	Re: Symfony Security issue - XSS attack on form helpers By: scott on Fri, 17 March 2006 19:13
	Re: Symfony Security issue - XSS attack on form helpers By: tamcy on Fri, 17 March 2006 19:29
	Re: Symfony Security issue - XSS attack on form helpers By: tamcy on Fri, 17 March 2006 19:51
	Re: Symfony Security issue - XSS attack on form helpers By: gucky on Thu, 13 July 2006 14:58
	Re: Symfony Security issue - XSS attack on form helpers By: RoVeRT on Fri, 17 March 2006 21:29
	Re: Symfony Security issue - XSS attack on form helpers By: debea on Sat, 18 March 2006 22:26

Previous Topic:	JSON - multiple ajax calls - revisited
Next Topic:	[resolved] Using .htaccess password with myUser class

Goto Forum: